Additionally, since the emulator operates at the CPU instruction level, it
is immune to algorithmic changes in the unpacker and can be used against unknown
unpackers with no changes. Finally, the emulator is immune to debugger and virtual
machine detection techniques. Disadvantages include that a binary's true behavior, such as
its network connections, can't be observed, and at present the complete x86
instruction set is not emulated. As the emulator was primarily designed for unpacking,
neither of these limitations tends to come into play.
Gray Hat Hacking: The Ethical Hacker's Handbook
532
Figure 21-3 Trapped library call in x86emu
I Have Unpacked a Binary—Now What?
Once an unpacked binary has been obtained, more traditional analysis techniques can
be employed. Remember, however, that if your goal is to perform black-box analysis of a
running malware sample, unpacking was probably not necessary in the first place.
Having gone to the trouble of unpacking a binary, the most logical next step is analysis
using a disassembler. It is worth noting that at this point a strings analysis should be performed
on the unpacked binary to obtain a very rough idea of some of the things that
the binary may attempt to do.
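As an added example (not from the book and not part of x86emu), the rough strings pass described above in Python: it pulls ASCII and UTF-16LE strings from a constructed "unpacked" section, tags the ones a triage would care about using an assumed watch list, and shows that the same bytes behind a trivial XOR layer (a stand-in for a real packer's compression or encryption, not any real packer's format) yield nothing useful, which is why unpacking comes first.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: bytes from a hypothetical unpacked section, mixing a few
# opcode bytes with the artefacts a rough strings pass is meant to surface.
UNPACKED = (
    b"\x55\x8b\xec\x83\xec\x10"
    + b"kernel32.dll\x00"
    + b"CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"\x90\x90"
    + "http://example.invalid/cfg".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)
# The same bytes under a one-byte XOR with the high bit set: a stand-in for a
# packer's encryption/compression layer, not any real packer's format.
PACKED = bytes(b ^ 0xA5 for b in UNPACKED)

# Assumed watch list for triage; labels and markers are this example's own.
INTERESTING: Dict[str, Tuple[str, ...]] = {
    "process-injection API": ("CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"),
    "persistence (Run key)": ("CurrentVersion\\Run",),
    "network indicator": ("http://", "https://"),
}

def extract_strings(data: bytes, min_len: int = 5) -> List[Tuple[str, str]]:
    """Return (encoding, text) for every ASCII or UTF-16LE run of at least
    min_len printable characters: ASCII runs first, then wide runs."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("utf-16le", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return found

def triage(strings: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group extracted strings by the first watch-list category they match."""
    hits: Dict[str, List[str]] = {}
    for _, text in strings:
        for label, markers in INTERESTING.items():
            if any(m in text for m in markers):
                hits.setdefault(label, []).append(text)
                break
    return hits

if __name__ == "__main__":
    for name, blob in (("packed", PACKED), ("unpacked", UNPACKED)):
        found = extract_strings(blob)
        print(f"{name}: {len(found)} strings, triage={triage(found)}")
```

The packed blob produces no strings at all, while the unpacked one immediately points at injection APIs, a Run-key path and a URL; real samples also carry plenty of noise, so treat the output as a lead for disassembly, not a verdict.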